Javascritpt eslint security

deployments/dockerfiles/eslint/.semver.yaml

@@ -0,0 +1,4 @@
+alpha: 0
+beta: 0
+rc: 0
+release: v0.0.1

deployments/dockerfiles/eslint/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM node
+
+RUN npm install -g eslint
+RUN npm install -g eslint-plugin-security

development-kit/pkg/entities/analyser/eslint/output.go

@@ -0,0 +1,37 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package eslint
+
+type Message struct {
+	RuleID    string `json:"ruleId"`
+	Severity  int    `json:"severity"`
+	Message   string `json:"message"`
+	Line      int    `json:"line"`
+	Column    int    `json:"column"`
+	NodeType  string `json:"nodeType"`
+	MessageID string `json:"messageId"`
+	EndLine   int    `json:"endLine"`
+	EndColumn int    `json:"endColumn"`
+}
+
+type Output struct {
+	FilePath            string     `json:"filePath"`
+	Messages            *[]Message `json:"messages"`
+	ErrorCount          int        `json:"errorCount"`
+	WarningCount        int        `json:"warningCount"`
+	FixableErrorCount   int        `json:"fixableErrorCount"`
+	FixableWarningCount int        `json:"fixableWarningCount"`
+	Source              string     `json:"source"`
+}

development-kit/pkg/enums/tools/tools.go

@@ -31,6 +31,7 @@ const (
 	GitLeaks         Tool = "GitLeaks"
 	TfSec            Tool = "TfSec"
 	Semgrep          Tool = "Semgrep"
+	Eslint           Tool = "Eslint"
 )
 
 func (t Tool) ToString() string {

horusec-cli/internal/controllers/analyser/analyser.go

@@ -45,6 +45,7 @@ import (
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/generic/semgrep"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/golang/gosec"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/hcl"
+	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/javascript/eslint"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/javascript/npmaudit"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/javascript/yarnaudit"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/leaks/gitleaks"
@@ -218,9 +219,10 @@ func (a *Analyser) detectVulnerabilityKotlin(projectSubPath string) {
 }
 
 func (a *Analyser) detectVulnerabilityJavascript(projectSubPath string) {
-	a.monitor.AddProcess(2)
+	a.monitor.AddProcess(3)
 	go yarnaudit.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
 	go npmaudit.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
+	go eslint.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
 }
 
 func (a *Analyser) detectVulnerabilityPython(projectSubPath string) {

horusec-cli/internal/services/formatters/javascript/eslint/config.go

@@ -0,0 +1,43 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package eslint
+
+const (
+	ImageName = "horuszup/eslint"
+	ImageTag  = "latest"
+	ImageCmd  = `
+		{{WORK_DIR}}
+		eslint \
+			--no-eslintrc \
+			-f json \
+			--resolve-plugins-relative-to /usr/local/lib/node_modules \
+			--plugin security \
+			--rule 'security/detect-buffer-noassert: warn' \
+			--rule 'security/detect-child-process: warn' \
+			--rule 'security/detect-disable-mustache-escape: warn' \
+			--rule 'security/detect-eval-with-expression: warn' \
+			--rule 'security/detect-new-buffer: warn' \
+			--rule 'security/detect-no-csrf-before-method-override: warn' \
+			--rule 'security/detect-non-literal-fs-filename: warn' \
+			--rule 'security/detect-non-literal-regexp: warn' \
+			--rule 'security/detect-non-literal-require: warn' \
+			--rule 'security/detect-object-injection: warn' \
+			--rule 'security/detect-possible-timing-attacks: warn' \
+			--rule 'security/detect-pseudoRandomBytes: warn' \
+			--rule 'security/detect-unsafe-regex: warn' \
+			"**/*.js" > /tmp/results.json
+		cat /tmp/results.json
+	`
+)

horusec-cli/internal/services/formatters/javascript/eslint/formatter.go

@@ -0,0 +1,161 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package eslint
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/ZupIT/horusec/development-kit/pkg/entities/analyser/eslint"
+	"github.com/ZupIT/horusec/development-kit/pkg/entities/horusec"
+	"github.com/ZupIT/horusec/development-kit/pkg/enums/languages"
+	"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
+	"github.com/ZupIT/horusec/development-kit/pkg/enums/tools"
+	jsonUtils "github.com/ZupIT/horusec/development-kit/pkg/utils/json"
+	"github.com/ZupIT/horusec/development-kit/pkg/utils/logger"
+	vulnhash "github.com/ZupIT/horusec/development-kit/pkg/utils/vuln_hash"
+	dockerEntities "github.com/ZupIT/horusec/horusec-cli/internal/entities/docker"
+	"github.com/ZupIT/horusec/horusec-cli/internal/helpers/messages"
+	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters"
+)
+
+type Formatter struct {
+	formatters.IService
+}
+
+func NewFormatter(service formatters.IService) formatters.IFormatter {
+	return &Formatter{
+		service,
+	}
+}
+
+func (f *Formatter) StartAnalysis(projectSubPath string) {
+	if f.ToolIsToIgnore(tools.Eslint) {
+		logger.LogDebugWithLevel(messages.MsgDebugToolIgnored+tools.Eslint.ToString(), logger.DebugLevel)
+		return
+	}
+
+	err := f.executeDockerContainer(projectSubPath)
+	f.LogAnalysisError(err, tools.Eslint, projectSubPath)
+
+	f.SetLanguageIsFinished()
+}
+
+func (f *Formatter) executeDockerContainer(projectSubPath string) error {
+	f.LogDebugWithReplace(messages.MsgDebugToolStartAnalysis, tools.Eslint)
+
+	output, err := f.ExecuteContainer(f.getDockerConfig(projectSubPath))
+	if err != nil {
+		f.SetAnalysisError(err)
+		return err
+	}
+
+	f.processOutput(output)
+	f.LogDebugWithReplace(messages.MsgDebugToolFinishAnalysis, tools.Eslint)
+
+	return nil
+}
+
+func (f *Formatter) getDockerConfig(projectSubPath string) *dockerEntities.AnalysisData {
+	return &dockerEntities.AnalysisData{
+		Image:    ImageName,
+		Tag:      ImageTag,
+		CMD:      f.AddWorkDirInCmd(ImageCmd, projectSubPath, tools.Eslint),
+		Language: languages.Javascript,
+	}
+}
+
+func (f *Formatter) processOutput(output string) {
+	if output == "" {
+		logger.LogDebugWithLevel(
+			messages.MsgDebugOutputEmpty, logger.DebugLevel, map[string]interface{}{"tool": tools.Eslint.ToString()})
+		return
+	}
+
+	eslintOutput, err := f.parseOutput(output)
+	if err != nil {
+		return
+	}
+
+	f.concatOutputIntoAnalysisVulns(eslintOutput)
+}
+
+func (f *Formatter) parseOutput(output string) (eslintOutput *[]eslint.Output, err error) {
+	err = jsonUtils.ConvertStringToOutput(output, &eslintOutput)
+	logger.LogErrorWithLevel(f.GetAnalysisIDErrorMessage(tools.GoSec, output), err, logger.ErrorLevel)
+	return eslintOutput, err
+}
+
+func (f *Formatter) concatOutputIntoAnalysisVulns(output *[]eslint.Output) {
+	for _, file := range *output {
+		for _, message := range *file.Messages {
+			vuln := f.parseOutputToVuln(file.FilePath, file.Source, message)
+
+			vulnhash.Bind(vuln)
+			f.setCommitAuthor(vuln)
+
+			f.setIntoAnalysisVulns(vuln)
+		}
+	}
+}
+
+func (f *Formatter) parseOutputToVuln(filePath, source string, message eslint.Message) *horusec.Vulnerability {
+	return &horusec.Vulnerability{
+		File:         filePath,
+		Line:         fmt.Sprintf(`%d`, message.Line),
+		Column:       fmt.Sprintf(`%d`, message.Column),
+		Language:     languages.Javascript,
+		SecurityTool: tools.Eslint,
+		Details:      message.Message,
+		Code:         f.getCode(source, message.Line, message.EndLine),
+		Severity:     severity.Low,
+	}
+}
+
+func (f *Formatter) setCommitAuthor(vuln *horusec.Vulnerability) *horusec.Vulnerability {
+	commitAuthor := f.GetCommitAuthor(vuln.Line, vuln.File)
+	vuln.CommitAuthor = commitAuthor.Author
+	vuln.CommitEmail = commitAuthor.Email
+	vuln.CommitHash = commitAuthor.CommitHash
+	vuln.CommitMessage = commitAuthor.Message
+	vuln.CommitDate = commitAuthor.Date
+
+	return vuln
+}
+
+func (f *Formatter) setIntoAnalysisVulns(vuln *horusec.Vulnerability) {
+	f.GetAnalysis().AnalysisVulnerabilities = append(f.GetAnalysis().AnalysisVulnerabilities,
+		horusec.AnalysisVulnerabilities{
+			Vulnerability: *vuln,
+		})
+}
+
+func (f *Formatter) getCode(source string, line, endLine int) string {
+	var result string
+	startLine := line - 1
+	lines := strings.Split(source, "\n")
+
+	for i, line := range lines {
+		if i >= startLine && i <= endLine {
+			result += line
+		}
+
+		if i > endLine {
+			break
+		}
+	}
+
+	return result
+}